Ransoc Screenlocker

By GoldSparrow in Ransomware

The Ransoc Screenlocker is a Trojan that is adapted to browsers and desktops. Security researchers have come across versions of the Ransoc Screenlocker Trojan that are aimed at locking the desktop and Internet browser of the compromised user. The functionality of the Ransoc Screenlocker Trojan resembles what we have seen with the Sharecash Screenlocker and the zScreenlocker Ransomware. The Ransoc Screenlocker is designed to limit the user's control of a particular application and the desktop as a whole, display a 'Penalty Notice' and demand that the user pay $100 via direct credit card transaction. The Ransoc Screenlocker is distributed to Windows OS users via malvertising campaigns and tools like the Nuclear Exploit Kit.

The Ransoc Screenlocker Utilizes Target Profiling to Generate a Personalized Screenlock

Some researchers believe the Ransoc Screenlocker Trojan is the next generation of ransomware due to its advanced features, which include target profiling facilitated by a complex data analysis algorithm. The Ransoc Screenlocker is rather unique compared to other screen lockers we have seen in the past. The Ransoc Screenlocker Trojan is equipped with a scan routine that is programmed to look for filenames, strings, images, and videos associated with cracked software, child pornography and credit card data. Moreover, the Ransoc Screenlocker Trojan can access data in third-party applications like your IM clients, browsers and torrent clients. Analysis revealed that the Ransoc Screenlocker could take a photo of the computer user by accessing Webcams connected to the PC. The following details are collected by the Ransoc Screenlocker and used to generate a personalized 'Penalty Notice' screenlock:

  • Name
  • Birthday
  • Phone
  • Email
  • Location Area
  • Skype Account Details
  • Facebook Account Details
  • Linkedin Account Details
  • IP Address
  • CPU Details
  • System Details
  • PC Name
  • Username

The Ransoc Screenlocker Does not Encrypt Files Like Encryption Trojans Do

As stated above, the Ransoc Screenlocker is not typical ransomware and does not encrypt files. The Ransoc Screenlocker can prevent keyboard shortcuts from being activated, as well as disable the Command Prompt, the Registry Editor and the Task Manager. The Ransoc Screenlocker leaves the user with the 'Penalty Notice' screen lock in the foreground and a message that features the following text:

'PENALTY NOTICE
PENALTIES DETAILS
Amount: $100
Due date: [24 hours from the date of issue]
Remaining: [countdown timer]
WE HEREBY INFORM YOU THAT ON YOUR PC FOUND
1. CHILD SEXUAL ABUSE MATERIALS $200,000 40 years in prison
2. MATERIALS THAT VIOLATE THE INTELECTUAL PROPERTY RIGHTS $150,000 er instance
3. SUSPICIOUS ACTIVITY $100,000 10 years in prison
In the course of pre-trial settlement in case of removal of all detected violations and payment of the fine within 3 hours since the receipt of this notice
ALL ACTIONS WILL BE STOPPED AND THE PROCEEDINGS WILL BE CEASED!
(ALL MONEY WILL BE REFUNDED TO YOU IF YOU ARE NOT CAUGHT AGAIN WITHIN 180 DAYS)
You must pay penalty within 3 hours to settle the case out of court. In case of failure to comply claims
ALL COLLECTED DATA WILL BE MADE PUBLIC AND THE CASE GOES TO TRIAL!'

The Authors of the Ransoc Screenlocker are not Moved by Altruistic Motives

Some may think that the developer of the Ransoc Screenlocker may be trying to raise awareness of violations of intellectual rights and cases where child pornography is involved. However, the maker of the Ransoc Screenlocker exploits the fear of legal prosecution that users with pirated content and child pornography have, for monetary gain. Understandably, users who run pirated software and indulge in sinful content may not file a formal complaint with their local police department, and the operator of the Ransoc Screenlocker can continue collecting 'penalty fees' from pre-trial settlements. The Ransoc Screenlocker Trojan is known to place its files in the C:\Users\[your_name]\AppData\Local\Temp\Low directory, and users are advised not to remove the Trojan manually since they might miss some files. Experts recommend removing the Ransoc Screenlocker with the help of a reliable anti-malware scanner. There are reports that the Ransoc Screenlocker contacts its 'Command and Control' servers located at the 89.163.144.64 and 136.243.147.14 IP addresses, and AV vendors may flag files used by the Trojan as:

  • GenericR-ITG!D5738A0199B5
  • TR/Dldr.Agent.gakkp
  • TROJ_GEN.R00XC0DK816
  • Trojan.Agent!eQewVzVBG7Q
  • Trojan.GenericKD.3677949
  • Trojan/Win32.Agent.N2148378379
  • Trojan:Win32/Dynamer!ac
  • W32/Trojan.JWOZ-3311

File System Details

Ransoc Screenlocker may create the following file(s):

#   File Name   MD5                                Detections
1.  File.exe    30bf1d54830eb4223f0f3e68d113ff5d   0
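
A triage sweep built from the indicators listed on this page (the two Command and Control addresses and the File.exe MD5), as an added example that is not part of the original entry or any vendor tool. The netstat-style log format and the function names are assumptions, and the sample log lines are constructed.

```python
import hashlib
import ipaddress
import re
from pathlib import Path

# Indicators copied from this page.
C2_IPS = {ipaddress.ip_address("89.163.144.64"), ipaddress.ip_address("136.243.147.14")}
FILE_MD5 = {"30bf1d54830eb4223f0f3e68d113ff5d"}

# Whole dotted quads only, so 189.163.144.64 or 136.243.147.140 cannot match by substring.
IPV4 = re.compile(r"(?<![\d.])\d{1,3}(?:\.\d{1,3}){3}(?!\d|\.\d)")

# Constructed sample in an assumed netstat-style layout; lines 2 and 3 are near misses.
SAMPLE_LOG = [
    "TCP 10.0.0.5:49712 89.163.144.64:80 ESTABLISHED",
    "TCP 10.0.0.5:49713 189.163.144.64:443 ESTABLISHED",
    "TCP 10.0.0.5:49714 136.243.147.140:443 TIME_WAIT",
    "TCP 10.0.0.5:49715 136.243.147.14:443 SYN_SENT",
]

def c2_hits(lines):
    """Return (line_no, ip, line) for every log line naming a listed C2 address."""
    hits = []
    for n, line in enumerate(lines, 1):
        for token in IPV4.findall(line):
            try:
                ip = ipaddress.ip_address(token)
            except ValueError:  # e.g. 999.1.1.1 or octets with leading zeros
                continue
            if ip in C2_IPS:
                hits.append((n, str(ip), line.strip()))
    return hits

def md5_hits(root, known=FILE_MD5):
    """Hash regular files under root (e.g. ...\\AppData\\Local\\Temp\\Low); return matching paths."""
    hits = []
    for path in Path(root).rglob("*"):
        try:
            if path.is_file():
                digest = hashlib.md5(path.read_bytes(), usedforsecurity=False).hexdigest()
                if digest in known:
                    hits.append(path)
        except OSError:  # locked or unreadable file: skip it, keep sweeping
            continue
    return hits

if __name__ == "__main__":
    for n, ip, line in c2_hits(SAMPLE_LOG):
        print(f"line {n}: connection to listed C2 address {ip}: {line}")
```

A single MD5 only matches that exact sample, so an empty result from md5_hits does not clear a host; the network check and a full anti-malware scan still apply.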